QID 375918

Date Published: 2021-10-06

QID 375918: Node.js Handlebar Module Prototype Pollution Vulnerability

Handlebars is an open-source framework created and maintained by GitHub.

The handlebars.js Package for Node.js is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. Affected Versions:
Versions prior to handlebars.js Package 4.7.7 are vulnerable.

QID Detection Logic:
This authenticated QID retrieves vulnerable handlebars versions by running npm list | grep 'handlebars'

An attacker can exploit this issue to execute arbitrary code with in the context of the affected application resulting into Remote Code Execution.

CVSS V3 rated as Critical - 9.8 severity.

CVSS V2 rated as High - 7.5 severity.

Solution

Customers are advised to upgrade to Node.js handlebars to or above 4.7.7 or the latest versions to remediate this vulnerability.

Vendor References

handlebars node.js - github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

CVEs related to QID 375918

CVE-2021-23383 |

Software Advisories

Advisory ID	Software	Component	Link
CVE-2021-23383			nvd.nist.gov/vuln/detail/CVE-2021-23383

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].